News arrived this week of another national thinktank releasing a report warning Australia of the dangers of not paying attention to the “cybersecurity” situation in the new millennium. The Australian newspaper has got its hands on a report by the Kokoda Foundation a month ahead of the report’s launch (and no, they won’t give it to us as well, we asked this morning), which reportedly states:
“A large part of the Australian population does not comprehend the scale of the growing cyber threat, nor the potential impact of that threat on personal and national wellbeing … That lack of understanding, and therefore commitment to addressing that threat, is a fundamental weakness in the individual and collective security of Australians.”
Now I’m in two minds about these sorts of reports.
Firstly, there is no doubt that yes, as each and every piece of critical Australian infrastructure eventually gets connected to IP-based networks (and therefore, usually ultimately the internet, firewalls notwithstanding), that infrastructure becomes more vulnerable to attack. And, if you examine previous audits of government infrastructure, you will find that the Australian public sector is full of IT security holes.
However, can anyone be in any doubt that when you interview a bunch of “cybersecurity experts” for a report like this, they will conclude in those interviews that the threat is growing, and that the nation needs to throw more money at the area? Apart from the fact that making such statements would be self-serving, it’s important to understand that experts always see things through the lens of their own expertise.
As anyone who works in security will tell you, securing infrastructure is not about providing failsafe solutions. It is about functionality/risk scenarios. If you open up a certain piece of infrastructure to a certain level of access, that level will come with a certain element of risk. You can never completely secure anything — it’s a scale.
In this context, it’s not useful for reports on this area to make motherhood statements about Australia’s cybersecurity situation. What would be much more useful is specific details about how and to what level Australia should be securing each individual piece of infrastructure in our possession.
In addition, what would be even more useful — extremely so — is to document actual examples where there have been “cyber-attacks” (whatever that phrase means). Even if you maintain the anonymity of the various players in such events, recording and publishing them would tell us much about the real nature of the threat, whatever it may be.
Maybe the Kokoda Foundation’s report does contain this information; I guess we’ll find out next month. Until that stage, however, it’s my opinion that the thinktank’s report hasn’t moved the public debate on this issue forward one millimetre.